By: Pawel Pietrzynski named 21 Feb 2020 at 3:20 p.m. CST

3 Responses
When key rotation is turned off, the existing keys with their existing expiry are left in place and are due to expire by default in 2 days, with no recourse other than manually regenerating the keys before they expire. As part of turning off key rotation, key expiry on certificates should be set to a reasonable time, similar to the certificate issue expiry of certificates of similar strength.

By Aliaksandr Samuseu staff 21 Feb 2020 at 3:37 p.m. CST

Hi, Pawel. I believe the author of this feature said before that even if a key has expired, it shouldn't cause immediate trouble. But I'll ask him to review that possibility anyway. Thanks again for letting us know; your contribution is much appreciated.

By Aliaksandr Samuseu staff 26 Feb 2020 at 4:21 p.m. CST

Hi, Pawel. According to the dev team, it's not an issue: in the case when key regeneration is disabled, it becomes the server administrator's duty to maintain and renew the keyset using whatever means they deem suitable; they can also set whatever expiration time they need during this process. There are doc pages describing the procedure, and we have also prepared a console script that automates this process. Closing this ticket for now.

By Pawel Pietrzynski named 26 Feb 2020 at 4:31 p.m. CST

The only issue I can see, then, is that the initial keys are valid for 2 days, as hard-coded in setup. If you do not believe this is an issue, then OK.